Working with BIOCs - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product
Cortex XDR
License
Pro
Creation date
2023-10-31
Last date published
2024-03-18
Category
Administrator Guide
Abstract

Behavioral indicators of compromise (BIOCs) alert you to respond to potentially compromising behaviors.

Behavioral indicators of compromise (BIOCs) enable you to alert and respond to behaviors—tactics, techniques, and procedures. Instead of hashes and other traditional indicators of compromise, BIOC rules detect behavior such as is related to processes, registry, files, and network activity.

To enable you to take advantage of the latest threat research, the Cortex XDR tenant automatically receives pre-configured rules from Palo Alto Networks. These global rules are delivered to all tenants with content updates. In cases where you need to override a global BIOC rule, you can disable it or set a rule exception. You can also configure additional BIOC rules as you investigate threats on your network and endpoints. BIOC rules are highly customizable: you can create a BIOC rule that is simple or quite complex.

As soon as you create or enable a BIOC rule, the tenant begins to monitor input feeds for matches. It also analyzes historical data collected in the tenant. Whenever there is a match, or hit, on a BIOC rule, Cortex XDR logs an alert.

To further enhance the BIOC rule capabilities, you can also configure BIOC rules as custom prevention rules and incorporate them with your Restrictions profiles. The tenant can then raise behavioral threat prevention alerts based on your custom prevention rules in addition to the BIOC detection alerts.